32bitcafe/guestbook
1
1
Fork 0
Code Issues 12 Pull Requests Packages Projects 1 Releases Wiki Activity

allow remote comments only from expected url

Browse Source
This commit is contained in:
yequari 2025-06-25 20:05:37 -07:00
parent a72d32850b
commit 306053b1e3
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
cmd/web/handlers_guestbook.go
View File

@ -257,6 +257,11 @@ func (app *application) postGuestbookCommentCreateRemote(w http.ResponseWriter,
return return
} }
if normalizeUrl(r.Header.Get("Origin")) != normalizeUrl(website.SiteUrl) {
app.clientError(w, http.StatusForbidden)
return
}
if !website.Guestbook.CanComment() { if !website.Guestbook.CanComment() {
app.clientError(w, http.StatusForbidden) app.clientError(w, http.StatusForbidden)
return return

10
cmd/web/helpers.go
View File

@ -7,6 +7,7 @@ import (
"net/http" "net/http"
"runtime/debug" "runtime/debug"
"strconv" "strconv"
"strings"
"time" "time"
"git.32bit.cafe/32bitcafe/guestbook/internal/models" "git.32bit.cafe/32bitcafe/guestbook/internal/models"
@ -127,3 +128,12 @@ func (app *application) durationToTime(duration string) (time.Time, error) {
result = time.Now().UTC().Add(offset) result = time.Now().UTC().Add(offset)
return result, nil return result, nil
} }
func normalizeUrl(url string) string {
r, f := strings.CutPrefix(url, "http://")
if f {
return r
}
r, _ = strings.CutPrefix(url, "https://")
return r
}